change php extension on file upload

Postby sethwalt » Fri Sep 04, 2009 10:46 am

Hello, all. Sorry if I'm posting a topic that's already been discussed. I searched but couldn't find what I was looking for in another thread. I'm new at all this, so please be gentle.

I have two questions:

1) On a site that allows file uploads, I've taken some security measures (allowing only certain file extensions when the php checks the upload form, using -ExecCGI in my htaccess file, chmoding uploaded files to 0644) but would also like to have the htaccess file change php file extensions to something more innocuous. I found a piece of code that is supposed to do this, but I can't seem to get it to work:

Code:
#rename php files
# The two RewriteCond lines restrict the rule to requests whose method is PUT or MOVE
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^PUT$ [OR]
RewriteCond %{REQUEST_METHOD} ^MOVE$
RewriteRule ^(.*)\.php /site_redone/uploads/$1.nophp


the site structure goes something like this (at least for now while I'm redoing the site):
mysite.com/site_redone/uploads

For now, index/main pages are in the site_redone directory, in case that's not clear. I'm on a shared server, so I don't have access to files like httpd.conf, but the host does allow mod_rewrite stuff.

My htaccess file is currently in the uploads folder. Which brings me to:
2) Is there a way to put the htaccess folder one level up (or wherever) from the uploads folder so it can't get overwritten in that folder? I only want it to affect the uploads folder, not the directory in which it's placed, though.

What I'm looking to do may be overkill anyway. It's a small site.

Thanks!
sethwalt
 
Posts: 3
Joined: Fri Sep 04, 2009 10:21 am

Postby richardk » Sat Sep 05, 2009 8:17 am

#1
When a file is uploaded, you want the actual file's filename to be changed if it has a .php extension? As far as I know mod_rewrite can't do this, but you can do it in your PHP upload script.

#2
If your regular expression was ^uploads/something it would only affect URLs that started with uploads/ (relative to the .htaccess directory).
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am
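What richardk's #2 hint looks like in practice, as an added example that is not part of the thread: a .htaccess placed in /site_redone/ (one level above uploads/, the layout sethwalt described) whose rules only match paths that begin with uploads/, so the index pages in /site_redone/ itself are untouched. The list of PHP-type extensions is an assumption.

```apache
# /site_redone/.htaccess  (added example, not from the thread)
RewriteEngine On

# In a per-directory .htaccess the pattern is matched against the path
# relative to this directory, so ^uploads/ confines the rule to the
# uploads folder and leaves /site_redone/index.php etc. alone.
#
# Refuse (403) any request under uploads/ whose name carries a PHP-type
# extension anywhere in it: shell.php, shell.php.jpg, x.phtml, y.phar ...
# [NC] makes the match case-insensitive, so shell.PhP is caught too.
RewriteRule ^uploads/.*\.(php\d?|phtml|phar|phps)(\.|$) - [NC,F]
```

Two caveats. The rule only refuses requests; the uploaded file still sits on disk, so it supplements rather than replaces the -ExecCGI handler trick and the extension check in the upload script. And if a .htaccess inside uploads/ contains mod_rewrite directives of its own, those replace the parent's rules for that directory unless it also says RewriteOptions Inherit, so a .htaccess that an attacker manages to upload there can switch this off; that is why the upload script must refuse dotfiles.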

Postby sethwalt » Sat Sep 05, 2009 10:59 am

Thanks for replying, Richard!

#1: The code I got was out of apress' The Definitive Guide to Apache mod_rewrite, but the copy of the book that I have is a couple of years old, so you know how that goes. Clearly the code isn't working as I intended, no matter how many path permutations I try, so you may very well be right. I was just looking for something to supplement the security in my php, which currently limits the file extensions being uploaded to a select few. I'll add an extra check in the upload code, though, to search out and replace any php extensions, too.

#2: I didn't explain myself well enough. I (somewhat) understand the paths stuff in the mod_rewrite, but I'm more concerned with protecting the other code in that .htaccess file. I have AddHandler cgi-script .php and Options -ExecCGI to stop php script execution, so I'd like to place that file outside the uploads directory so no one can overwrite it with an upload. But if I move the .htaccess file, it affects the new folder where it's been placed. I don't know how to direct its attention to the uploads folder, if that makes sense. But it's not a huge deal to leave it in the uploads folder. I've included something in the php to disallow uploads of files that begin with "." so that should provide some protection. I'm just not as knowledgeable about security as I probably should be, so I'm trying to cover my bases.

Anyway, thanks!
sethwalt
 
Posts: 3
Joined: Fri Sep 04, 2009 10:21 am

Postby richardk » Sun Sep 06, 2009 3:30 pm

#1. When you upload with an HTML form (to a PHP script) it will be a POST request and there will be no chance for mod_rewrite to do anything to the file(name). I think your snippet is intended for WebDAV or similar, which is more like FTP.

#2 I couldn't find anything that lets you apply directives in one .htaccess file to subdirectories. You'll probably be safe if you check the filename in your upload script.
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am
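The filename check in the upload script that richardk recommends, written out as an added example; this is not code from the thread or from the book sethwalt cites. It applies the measures sethwalt lists (an extension allow-list, refusal of names beginning with ".", chmod to 0644) and goes a little further: PHP-type extensions are rejected anywhere in the name, not only at the end, and the file is stored under a server-generated random name so the client's name never reaches disk. The function names, both extension lists and the uploads directory are assumptions; it needs PHP 7.1 or later (random_bytes() and nullable return types).

```php
<?php
// Added example (not from the thread): the upload-script filename check.
// Extension lists, function names and paths are assumptions for this site.

// Extensions the site actually wants to accept (allow-list, lower case).
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

// Extensions Apache may hand to PHP. Rejected wherever they appear in the
// name, not only at the end, so "shell.php.jpg" is caught as well.
const EXECUTABLE_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7',
                               'phtml', 'phar', 'phps', 'pht'];

/**
 * Validate a client-supplied filename and return the name to store the file
 * under, or null if the upload must be rejected. Only the validated
 * extension survives; the rest of the stored name is random.
 */
function safe_upload_name(string $clientName): ?string
{
    // Drop any directory part the client sent ("../../x.jpg", "C:\x.jpg").
    $base = basename(str_replace('\\', '/', $clientName));

    // Reject empty names and dotfiles: an uploaded .htaccess would
    // override the directory's own configuration.
    if ($base === '' || $base[0] === '.') {
        return null;
    }

    // Look at every dot-separated part, not just the final extension.
    $parts = explode('.', strtolower($base));
    if (count($parts) < 2) {
        return null;                          // no extension at all
    }
    $ext = array_pop($parts);
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;                          // not on the allow-list
    }
    foreach ($parts as $inner) {
        if (in_array($inner, EXECUTABLE_EXTENSIONS, true)) {
            return null;                      // e.g. "shell.php.jpg"
        }
    }

    // Server-chosen name: 16 random bytes as hex plus the safe extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/**
 * Handle one $_FILES entry (e.g. $_FILES['upload']) and move it into
 * $uploadDir. Returns the stored path, or null if the upload was rejected.
 */
function handle_upload(array $file, string $uploadDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $name = safe_upload_name((string) ($file['name'] ?? ''));
    if ($name === null) {
        return null;
    }
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    // move_uploaded_file() refuses anything that is not a genuine upload
    // from this request, so tmp_name cannot be pointed at another file.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);                       // readable, never executable
    return $dest;
}

// Usage in the form handler (assumed directory, not from the thread):
// $stored = handle_upload($_FILES['upload'], __DIR__ . '/uploads');
```

Because the stored name is generated on the server, the double-extension check is defence in depth rather than the only barrier: even if an unexpected name slipped through, nothing of it would be used on disk except the allow-listed extension.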

Postby sethwalt » Mon Sep 07, 2009 7:22 am

Ah ha! Now it's all starting to make more sense. This is the problem with finding code snippets: no context. Thanks for explaining!
sethwalt
 
Posts: 3
Joined: Fri Sep 04, 2009 10:21 am
